Inter VLAN Communication is not working

UJay In this scenario, you need to add static route in the firewall.

For an IPv4 unicast route, go to Configure > Routing > Static Routing and click Add under IPv4 Unicast Route.

https://docs.sophos.com/nsg/sophos-firewall/v17.1.4/Help/en-us/webhelp/onlinehelp/index.html#page/onlinehelp%2FUnicastRouteEdit.html%23

Video link: https://www.youtube.com/watch?v=h-nu7tMfL_E

Hope this helps!

Cheers!

Hi

I tried your suggestion and still unable to cross from one VLAN to another. 

I am able to ping between gateways of each VLANs but not able to trace route or ping a specific IP address of device. 

Do you forward all VLAN's to the XG or terminates the L3-Switch the VLAN and use a transfer-subnet to communicate with XG?

... where is the gefault gateway-IP for the VLAN's located .. at the Switch or at the XG?

If XG is the gateway - you don't need additional routes.

Would be helpful you post a screenshot of XG - interfaces-list.

...

and follow the suggestion from rfcat_vk:

" On the first rule try changing the any to LAN and enable logging so you can see what if any traffic is attempting to use the firewall rule. Also please make it the top of the rule list."

check the log-viewer...

BTW: are your clients able to access the internet?

... and a common error: check the IP/subnet-mask and gateway at the NAS!!

Hi Dirk

The default gateway IP for VLANs are located at XG. 

I have done all steps rfact_vk has recommended and still no luck. When i try the POLICY TEST utility under LOG VIEWER,I can see it is picking up the first rule and getting passed as expected. But when i do a trace route, it fails. 

Yes clients are able to access internet. 

Below is a quick screen caption of interfaces. 

Hi Dirk

The default gateway IP for VLANs are located at XG. 

I have done all steps rfact_vk has recommended and still no luck. When i try the POLICY TEST utility under LOG VIEWER,I can see it is picking up the first rule and getting passed as expected. But when i do a trace route, it fails. 

Yes clients are able to access internet. 

Below is a quick screen caption of interfaces. 

Hi,

you don't have any VLANs configured on your XG so there is no way for the traffic to get from one Vlan to the other unless you enable routing in your switch to configure Vlans on the XG.

Ian

i think he have the vlans under Port1.

Hi,

you might be right, but that is a guess based on the blue line besides port 1. He was asked for his interface configuration.

Ian

Yes I do have VLANS and they are defined under Port 1 as xg-andy mentioned

Hi Ian

After deleting and recreating the VLAN and Rule, i am now able to access the NAS by using the UNC path. I am not sure what was the issue which prevent access from the previous arrangements. 

The firewall rule is same as screenshot displaying 40toLAN where Source LAN, ANY and then Destination LAN with ANY. As soon as I change ANY to specific VLANs, then i am unable to communicate with the NAS. 

I don't want some VLANs to access NAS, hence need to find a way to prevent such VLANs accessing NAS. How do i achieve that?

You need to setup firewall rules LAN "VLAN Network" LAN any allow log. I suspect you are changing the ANY to the VLAN interface IP address rather than the VLAN IP network range.

Ian

Can you please give me an example to get a better understanding of your guidance? 

VLAN interface 10.10.10.1/32 VLAN network 10.10.10.1/24

Ian

Hi Ian

Quick update to you.

I was able to use this method and restrict access by unwanted devices. Thanks for your guidance. 

At the moment i am using any for services but i want to restrict that to ports require for NAS (such as 445). I have tried with 445 and 137 as SMB ports, but no success. 

The firewall at the NAS is disabled.